Guide - How to remove a malware infection from WordPress

As most people know, WordPress is an open-source PHP CMS that is highly exposed to hacking at all times. No matter what you have done to protect your WordPress site, there’s no denying that it may fall prey to a lurking hacker at any moment. So it is vitally important to know, before you ever need them, the quick and reliable ways to rescue your website.

It is quite probable that you are reading this article after your website has been hacked. So let’s cut to the chase and walk through the possible solutions and the ways to remove malware from your blog. First, the usual causes of a compromise:

A malicious plugin was installed (use only well-reputed, top-rated plugins).

A newly discovered vulnerability in a theme or plugin. For example, the timthumb script was found vulnerable back in 2012 and thousands of WordPress sites got hacked. The same thing happened with Revolution Slider when a massive vulnerability was found in the plugin: the developer fixed it immediately, yet many blog owners did not update their plugins, and their websites bore the brunt.

Web hosting with poor security. Your web host may well be responsible for the hacking of your WordPress site if it lacks proper security tools such as a firewall and brute-force detection, and a good security team that keeps an eye on such matters (use only reliable web hosts).

Take a full backup of your WordPress

If you have access to the WordPress admin panel

Use the UpdraftPlus plugin to take a backup of your site files and database. Download the backup to your computer.

If you don’t have access to the WordPress dashboard

Use the hosting file manager or FTP to download the entire WordPress folder (especially the …/wp-content/ folder and the wp-config.php file). You are in luck if you use cPanel hosting, as its file manager makes it very easy to download a large site: all you need to do is create a zip file of the site and download it.

Request a full backup from your host

If you learn right away that your site has been hacked, you can ask your hosting provider for the most recent backup of your website, which should be malware-free. Restoring this backup removes the malware from your hosting account. But hold on: restoring a malware-free backup doesn’t fix the vulnerable WordPress files that attackers use to barge in. For that, you have to manually update the WordPress core, themes and plugins. These two steps, restoring a malware-free backup and updating manually, almost guarantee that you can now breathe a sigh of relief.
If the problem remains unresolved even after these steps, don’t worry, there is still more to try.

Reinstall WordPress core

I am not talking about updating WordPress from the dashboard, but about deleting and uploading all WordPress core files manually via FTP or the hosting file manager. Download the latest copy of WordPress, extract the files, then upload and replace all the files other than the wp-content folder. I repeat, don’t replace the wp-content folder, as it contains all your uploads, themes and plugins. Also create a backup of your wp-config.php and save it to your computer. After uploading and replacing all WordPress core files, copy the following information from your previous wp-config.php to the new wp-config.php;

Now log in to your admin panel, reset your permalink structure to the default, and then set it back to your previous structure. This will create your .htaccess file.

Reinstall all plugins and theme

First make a list of all your active WordPress plugins and your theme.

A theme or a plugin may work as a backdoor. So delete them all, then download the latest versions of the theme and plugins to your WordPress site. Keep in mind that if you are using a pirated theme or plugin, there is a high chance that it contains malicious code. So avoid using them.

Also make sure that no unknown PHP file or folder is present in the ……../wp-content/plugins/ and …../wp-content/themes/ directories. If you find one, delete it.

Delete additional files in wp-content folder

(other than uploads, updated theme and plugins)

There may be many other files in the wp-content folder besides uploads, themes and plugins. You should delete them all.

Now scan your uploads folder

You need to scan the uploads folder for possible malware. The uploads folder does not usually contain PHP files, so delete all PHP files in the wp-content/uploads folder. You may be wondering how to find every PHP file in this folder, given how large the uploads folder usually is.

How to find and remove PHP files in a specific folder:

1. Using cPanel file manager

You can do it with the cPanel file manager. Type .php in the search bar, select the current directory, and the file manager will show all the PHP files.

2. Using FileZilla file filter

FileZilla does an amazing job when you want to filter a specific file type and delete only that file type in bulk. Here is how to use FileZilla file filter;

Another way to discover PHP files in the uploads folder is Windows search. Download the “uploads” folder to your PC and use the Windows Explorer search to list the PHP files.
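A scripted alternative to the manual searches above, for a downloaded copy of the uploads folder. This is an added example, not part of the original article; the function name, the extension list and the reason labels are assumptions made for the illustration. It goes beyond a plain .php search by also flagging double extensions and PHP tags embedded in files with other extensions, and it only reports, leaving deletion to you after review.

```python
import os
import sys

# Assumption: extensions a web server may be configured to run as PHP.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
PHP_OPEN_TAG = b"<?php"  # only the full opening tag is matched


def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            # Look at every dot-separated suffix, so "logo.php.jpg" is caught too.
            suffixes = {"." + part for part in name.lower().split(".")[1:]}
            if suffixes & PHP_EXTENSIONS:
                findings.append((rel, "php-extension"))
                continue
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            # Media and text files should never contain a PHP opening tag.
            if PHP_OPEN_TAG in data.lower():
                findings.append((rel, "embedded-php-tag"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan_uploads.py /path/to/wp-content/uploads
    for rel, reason in scan_uploads(sys.argv[1]):
        print(f"{reason:18} {rel}")
```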

After cleaning your wp-content folder and reinstalling the theme and plugins, also install a security plugin named Anti-Malware and Brute-Force Security by ELI and then scan your WordPress site with it. This plugin can detect many known threats and trapdoors and fix them all. It can update your outdated timthumb script too.

Check for a hidden admin

How to find and delete a hidden admin user in WordPress

Sometimes, after getting access via a backdoor, a hacker creates a hidden admin user and makes changes to your WordPress site silently. You need to remove this user.

Go to WordPress admin dashboard > Users

Press Ctrl+U to show the source of that page and find the following line of code:

<tbody id="the-list" data-wp-lists='list:user'>

Here you will see all users, and every user is shown like this:

<tr id='user-1'>

where 1 is the ID of the user.

Note all the user IDs from the page source and then match up these IDs with the IDs on the user list page. If you find an ID that is not available in the users list then make a note of it.

Now go to your hosting account > phpMyAdmin, select your WordPress database, click on the table wp_users and go to the SQL tab.

On the SQL tab, run the following SQL query to list all the admin users:

SELECT * FROM wp_usermeta WHERE meta_value LIKE '%administrator%';

Replace wp_ with the table prefix of your WordPress installation.

This SQL query lists all the admin users with their IDs. Now delete any admin user who was not present in the users list in the admin dashboard and was probably found in the page source code.
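The comparison described above can be scripted once you have saved the page source of the Users screen and exported the wp_usermeta rows from phpMyAdmin. This is an added example, not part of the original article; the function names and the sample data are constructed, and it assumes the default wp_ prefix. It reads roles only from the wp_capabilities row, so rows that merely contain the word "administrator", which the LIKE query also returns, are ignored.

```python
import re

# Matches the row markup shown above: <tr id='user-1'>
ROW_ID = re.compile(r"""<tr\b[^>]*\bid=['"]user-(\d+)['"]""")


def visible_user_ids(users_page_html):
    """IDs of the users rendered in the saved source of the Users screen."""
    return {int(uid) for uid in ROW_ID.findall(users_page_html)}


def admin_ids(usermeta_rows, prefix="wp_"):
    """IDs holding the administrator role.

    usermeta_rows: (user_id, meta_key, meta_value) tuples exported from
    <prefix>usermeta. Roles live in the <prefix>capabilities row only.
    """
    role_key = prefix + "capabilities"
    return {int(uid) for uid, key, value in usermeta_rows
            if key == role_key and '"administrator"' in value}


def hidden_admins(users_page_html, usermeta_rows, prefix="wp_"):
    """Administrator IDs present in the database but absent from the Users screen."""
    return sorted(admin_ids(usermeta_rows, prefix) - visible_user_ids(users_page_html))


# Constructed sample data (not from a real site).
SAMPLE_HTML = """<tbody id="the-list" data-wp-lists='list:user'>
<tr id='user-1'><td>admin</td></tr>
<tr id='user-4'><td>editor-jane</td></tr>
</tbody>"""
SAMPLE_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (4, "description", "Reports to the site administrator"),   # LIKE hit, not an admin
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),  # not on the Users screen
]

if __name__ == "__main__":
    print("admin IDs missing from the Users screen:",
          hidden_admins(SAMPLE_HTML, SAMPLE_ROWS))
```

The Users screen is paginated, so save the source of every page before comparing.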

Check for a malicious user

If you have enabled user registration and there are many users on your WordPress website, look closely at any suspicious user, even if it is only a subscribed user. Some hackers register on your WordPress site and then execute a malicious script by exploiting a vulnerability in the theme or a plugin. You can use the Stop Spammers plugin to list spam users and subsequently delete them.

Stop PHP execution in wp-content/uploads and wp-includes directories

Create an .htaccess file and add the following code to it:

<Files *.php>
deny from all
</Files>

Then upload this file to the wp-includes and uploads folders. This stops hackers from executing malicious PHP code in these directories.

If the odds are in your favor, your WordPress site should now be unhacked and free of anything malicious after you have given this method a go.

Final Step – Use Wordfence and Cerber Security WordPress plugins

Wordfence and Cerber Security (install them from the WordPress repository) are amazing free security plugins for WordPress. They not only harden WordPress security but also patch security holes and vulnerabilities in WordPress. With the help of these plugins we can keep our self-hosted WordPress 99% safe.

How to remove a malicious or spammy link added to your posts content by hackers

Sometimes hackers inject their links into your database to get clicks on those links from your website. This may be fatal in terms of SEO, as Google always keeps an eye on the outgoing links from your website.

Finding suspicious links

There is no foolproof way to find this kind of link, but you can catch them via your traffic analytics service, such as Jetpack-powered WordPress Stats or Google Analytics. Observe the out-clicks from your website, and if you find any link that appears suspicious, make a note of it.

Now go to WordPress dashboard > Tools > Export > Download XML file.

Open this XML file in Notepad or any other text editor and use the “Find” option to look for the noted link.

The link will appear highlighted, and you can pick out its position.
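Instead of searching the export for one noted link at a time, the same XML file can be parsed to list every external host your posts link to, so unfamiliar ones stand out. This is an added example, not part of the original article; the function name and the sample export are constructed, and blog.example stands in for your own domain.

```python
import re
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict
from urllib.parse import urlparse

# Namespace that WordPress export (WXR) files use for the post body element.
NS = {"content": "http://purl.org/rss/1.0/modules/content/"}
HREF = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def outbound_links(wxr, own_host):
    """Map each external host to the (post title, URL) pairs that link to it."""
    by_host = defaultdict(list)
    for item in ET.fromstring(wxr).iter("item"):
        title = item.findtext("title", default="") or "(untitled)"
        body = item.findtext("content:encoded", default="", namespaces=NS) or ""
        for url in HREF.findall(body):
            try:
                host = (urlparse(url).hostname or "").lower()
            except ValueError:      # malformed URL: report it under its own key
                host = "(unparseable)"
            # Skip relative links and links to the site itself or its subdomains.
            if not host or host == own_host or host.endswith("." + own_host):
                continue
            by_host[host].append((title, url))
    return dict(by_host)


# Constructed sample export (not from a real site); blog.example is the site's own host.
SAMPLE_WXR = """<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<item><title>Hello world</title>
<content:encoded><![CDATA[<p><a href="https://blog.example/about">About</a>
<a href="http://pills.example/buy">cheap</a></p>]]></content:encoded></item>
<item><title>Second post</title>
<content:encoded><![CDATA[<p><a href='/contact'>Contact</a></p>]]></content:encoded></item>
</channel></rss>"""

if __name__ == "__main__":
    # Usage: python wxr_links.py export.xml blog.example   (no arguments: sample data)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else SAMPLE_WXR
    own = sys.argv[2] if len(sys.argv) > 2 else "blog.example"
    # Hosts linked from the fewest posts are listed first.
    for host, hits in sorted(outbound_links(data, own).items(), key=lambda kv: len(kv[1])):
        print(f"{len(hits):4}  {host}  e.g. {hits[0][0]!r} -> {hits[0][1]}")
```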

Quick tips to safeguard your WordPress from malware and hackers

Always keep your theme, plugins and WordPress up to date

Only use plugins from verified authors; avoid plugins from unknown sources

Use a reliable web host to host your WordPress

Use the Sucuri website security plugin to tighten the security of your blog.

Disable PHP execution in the uploads folder: create a .htaccess file in the wp-content/uploads directory and add the following code to it:

<Files *.php>
deny from all
</Files>

If you have enabled user registrations on your website, use the Stop Spammers plugin

Shams, a professional blogger, has expertise in WordPress and Web Hosting. He is used to playing around with WordPress plugins, themes, web hosting services and some other innovative stuff regarding web design. He sifts out good stuff for web designers and reviews it to help them choose what they really need.

Being an energetic tech enthusiast, he regularly pens breaking news and tutorials related to technology, particularly smartphones and other gadgets. He sometimes writes tech tips too. It was the dawn of the Internet age when he started dabbling in it, and he has been delving into the realm of the internet ever since. He occupies a permanent burrow in the virtual world.